Merge branch 'lts-1-6-stable' into masquerade-1-6-lts-as-1.4.7-for-rails-3-compat

Author: hfsaito

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    rack (1.6.13)
+    rack (1.6.13.14)
 
 GEM
   remote: https://rubygems.org/

README.md

@@ -12,10 +12,12 @@ Rack applications should conform to.
 This is a fork of the official [rack gem](https://github.com/rack/rack) with
 backported security fixes for:
 
+*   [rack 2.2](https://github.com/rails-lts/rack/tree/lts-2-2-stable)
+    (CWE-444)
 *   [rack 1.6](https://github.com/rails-lts/rack/tree/lts-1-6-stable)
-    (CVE-2020-8161, CVE-2020-8184, CVE-2022-30122, CVE-2022-30123)
+    (CVE-2020-8161, CVE-2020-8184, CVE-2022-30122, CVE-2022-30123, CWE-444, CVE-2022-44570, CVE-2022-44571, CVE-2023-27530, CVE-2023-27539, CVE-2024-25126, CVE-2024-26141, CVE-2024-26146)
 *   [rack 1.4](https://github.com/rails-lts/rack/tree/lts-rack-1.4)
-    (CVE-2018-16471, CVE-2020-8161, CVE-2020-8184, CVE-2022-30122, CVE-2022-30123)
+    (CVE-2018-16471, CVE-2020-8161, CVE-2020-8184, CVE-2022-30122, CVE-2022-30123, CWE-444, CWE-290, CVE-2022-44570, CVE-2022-44571, CVE-2023-27530, CVE-2023-27539, CVE-2024-25126, CVE-2024-26141, CVE-2024-26146)
 
 
 To use it, you need to add it to the Gemfile like this:
@@ -216,17 +218,32 @@ helps prevent a rogue client from flooding a Request.
 
 Default to 65536 characters (4 kiB in worst case).
 
-### multipart_part_limit
+### multipart_file_limit
 
-The maximum number of parts a request can contain. Accepting too many part can
+The maximum number of parts with a filename a request can contain. Accepting too many part can
 lead to the server running out of file handles.
 
 The default is 128, which means that a single request can't upload more than
 128 files at once.
 
 Set to 0 for no limit.
 
-Can also be set via the RACK_MULTIPART_PART_LIMIT environment variable.
+Can also be set via the `RACK_MULTIPART_PART_LIMIT` environment variable.
+
+(This is also aliased as `multipart_part_limit` and `RACK_MULTIPART_PART_LIMIT` for compatibility)
+
+### multipart_total_part_limit
+
+The maximum total number of parts a request can contain of any type, including
+both file and non-file form fields.
+
+The default is 4096, which means that a single request can't contain more than
+4096 parts.
+
+Set to 0 for no limit.
+
+Can also be set via the `RACK_MULTIPART_TOTAL_PART_LIMIT` environment variable.
+
 
 ## History
 

Rakefile

@@ -86,7 +86,7 @@ task :test => 'SPEC' do
   specopts = ENV['TESTOPTS'] ||
     "-q -t '^(?!Rack::Adapter|Rack::Session::Memcache|Rack::Server|Rack::Handler)'"
 
-  sh "bacon -w -I./lib:./test #{opts} #{specopts}"
+  sh "bacon -I./lib:./test #{opts} #{specopts}"
 end
 
 desc "Run all the tests we run on CI"
@@ -96,7 +96,7 @@ desc "Run all the tests"
 task :fulltest => %w[SPEC chmod] do
   opts     = ENV['TEST'] || '-a'
   specopts = ENV['TESTOPTS'] || '-q'
-  sh "bacon -r./test/gemloader -I./lib:./test -w #{opts} #{specopts}"
+  sh "bacon -r./test/gemloader -I./lib:./test #{opts} #{specopts}"
 end
 
 task :gem => ["SPEC"] do

lib/rack/multipart.rb

@@ -17,7 +17,7 @@ module Multipart
     VALUE = /"(?:\\"|[^"])*"|#{TOKEN}/
     BROKEN = /^#{CONDISP}.*;\s*filename=(#{VALUE})/i
     MULTIPART_CONTENT_TYPE = /Content-Type: (.*)#{EOL}/ni
-    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:.*\s+name="?([^\";]*)"?/ni
+    MULTIPART_CONTENT_DISPOSITION = /Content-Disposition:[^:]*;\s+name="?([^\";]*)"?/ni
     MULTIPART_CONTENT_ID = /Content-ID:\s*([^#{EOL}]*)/ni
 
     class << self

lib/rack/multipart/parser.rb

@@ -3,6 +3,7 @@
 module Rack
   module Multipart
     class MultipartPartLimitError < Errno::EMFILE; end
+    class MultipartTotalPartLimitError < StandardError; end
 
     class Parser
       BUFSIZE = 16384
@@ -52,14 +53,25 @@ def parse
         fast_forward_to_first_boundary
 
         opened_files = 0
+        parts = 0
         loop do
-
           head, filename, content_type, name, body =
             get_current_head_and_filename_and_content_type_and_name_and_body
 
           if Utils.multipart_part_limit > 0
             opened_files += 1 if filename
-            raise MultipartPartLimitError, 'Maximum file multiparts in content reached' if opened_files >= Utils.multipart_part_limit
+            if opened_files >= Utils.multipart_part_limit
+              close_tempfiles
+              raise MultipartPartLimitError, 'Maximum file multiparts in content reached'
+            end
+          end
+
+          if Utils.multipart_total_part_limit > 0
+            parts += 1
+            if parts >= Utils.multipart_total_part_limit
+              close_tempfiles
+              raise MultipartTotalPartLimitError, 'Maximum total multiparts in content reached' 
+            end
           end
 
           # Save the rest.
@@ -178,6 +190,10 @@ def get_filename(head)
         filename
       end
 
+      def close_tempfiles
+        (@env['rack.tempfiles'] || []).each(&:close!)
+      end
+
       if "<3".respond_to? :valid_encoding?
         def scrub_filename(filename)
           unless filename.valid_encoding?

lib/rack/request.rb

@@ -42,7 +42,11 @@ def logger;          @env['rack.logger']                      end
     # For more information on the use of media types in HTTP, see:
     # http://www.w3.org/Protocols/rfc2616/rfc2616-sec3.html#sec3.7
     def media_type
-      content_type && content_type.split(/\s*[;,]\s*/, 2).first.downcase
+      if content_type && (type = content_type.split(/[;,]/, 2).first)
+        type.rstrip!
+        type.downcase!
+        type
+      end
     end
 
     # The media type parameters provided in CONTENT_TYPE as a Hash, or
@@ -52,8 +56,8 @@ def media_type
     #   { 'charset' => 'utf-8' }
     def media_type_params
       return {} if content_type.nil?
-      Hash[*content_type.split(/\s*[;,]\s*/)[1..-1].
-        collect { |s| s.split('=', 2) }.
+      Hash[*content_type.split(/[;,]/)[1..-1].
+        collect { |s| s.strip.split('=', 2) }.
         map { |k,v| [k.downcase, strip_doublequotes(v)] }.flatten]
     end
 
@@ -188,7 +192,7 @@ def GET
       if @env["rack.request.query_string"] == query_string
         @env["rack.request.query_hash"]
       else
-        p = parse_query({ :query => query_string, :separator => '&;' })
+        p = parse_query({ :query => query_string, :separator => '&' })
         @env["rack.request.query_string"] = query_string
         @env["rack.request.query_hash"]   = p
       end
@@ -383,8 +387,8 @@ def parse_multipart(env)
       end
 
       def parse_http_accept_header(header)
-        header.to_s.split(/\s*,\s*/).map do |part|
-          attribute, parameters = part.split(/\s*;\s*/, 2)
+        header.to_s.split(",").each(&:strip!).map do |part|
+          attribute, parameters = part.split(";", 2).each(&:strip!)
           quality = 1.0
           if parameters and /\Aq=([\d.]+)/ =~ parameters
             quality = $1.to_f

lib/rack/server.rb

@@ -284,7 +284,11 @@ def start &blk
         end
       end
 
-      server.run wrapped_app, options, &blk
+      if RUBY_VERSION >= '3'
+        server.run wrapped_app, **options, &blk
+      else
+        server.run wrapped_app, options, &blk
+      end
     end
 
     def server

lib/rack/tempfile_reaper.rb

@@ -12,11 +12,24 @@ def initialize(app)
 
     def call(env)
       env['rack.tempfiles'] ||= []
-      status, headers, body = @app.call(env)
+
+      begin
+        status, headers, body = @app.call(env)
+      rescue Exception
+        close_tempfiles(env)
+        raise
+      end
+
       body_proxy = BodyProxy.new(body) do
-        env['rack.tempfiles'].each { |f| f.close! } unless env['rack.tempfiles'].nil?
+        close_tempfiles(env)
       end
       [status, headers, body_proxy]
     end
+
+    private
+
+    def close_tempfiles(env)
+      env['rack.tempfiles'].each(&:close!) unless env['rack.tempfiles'].nil?
+    end
   end
 end

lib/rack/utils.rb

@@ -57,12 +57,18 @@ def unescape(s, encoding = nil)
     end
     module_function :unescape
 
-    DEFAULT_SEP = /[&;] */n
+    DEFAULT_SEP = /& */n
 
     class << self
       attr_accessor :key_space_limit
       attr_accessor :param_depth_limit
-      attr_accessor :multipart_part_limit
+      attr_accessor :multipart_total_part_limit
+      attr_accessor :multipart_file_limit
+
+      # multipart_part_limit is the original name of multipart_file_limit, but
+      # the limit only counts parts with filenames.
+      alias multipart_part_limit multipart_file_limit
+      alias multipart_part_limit= multipart_file_limit=
     end
 
     # The default number of bytes to allow parameter keys to take up.
@@ -73,11 +79,15 @@ class << self
     # being too deep.  This helps prevent SystemStackErrors
     self.param_depth_limit = 100
 
-    # The maximum number of parts a request can contain. Accepting too many part
+    # The maximum number of file parts a request can contain. Accepting too many parts
     # can lead to the server running out of file handles.
     # Set to `0` for no limit.
     # FIXME: RACK_MULTIPART_LIMIT was introduced by mistake and it will be removed in 1.7.0
-    self.multipart_part_limit = (ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_LIMIT'] || 128).to_i
+    self.multipart_file_limit = (ENV['RACK_MULTIPART_FILE_LIMIT'] || ENV['RACK_MULTIPART_PART_LIMIT'] || ENV['RACK_MULTIPART_LIMIT'] || 128).to_i
+
+    # The maximum total number of parts a request can contain. Accepting too
+    # many can lead to excessive memory use and parsing time.
+    self.multipart_total_part_limit = (ENV['RACK_MULTIPART_TOTAL_PART_LIMIT'] || 4096).to_i
 
     # Stolen from Mongrel, with some small modifications:
     # Parses a query string by breaking it up at the '&'
@@ -203,7 +213,7 @@ def build_nested_query(value, prefix = nil)
     module_function :build_nested_query
 
     def q_values(q_value_header)
-      q_value_header.to_s.split(/\s*,\s*/).map do |part|
+      q_value_header.to_s.split(",").each(&:strip!).map do |part|
         value, parameters = part.split(/\s*;\s*/, 2)
         quality = 1.0
         if md = /\Aq=([\d.]+)/.match(parameters)
@@ -393,6 +403,9 @@ def rfc2822(time)
     end
     module_function :rfc2822
 
+    RFC2822_DAY_NAME = defined?(Time::RFC2822_DAY_NAME) ? Time::RFC2822_DAY_NAME : ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
+    RFC2822_MONTH_NAME = defined?(Time::RFC2822_MONTH_NAME) ? Time::RFC2822_MONTH_NAME : ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]
+
     # Modified version of stdlib time.rb Time#rfc2822 to use '%d-%b-%Y' instead
     # of '% %b %Y'.
     # It assumes that the time is in GMT to comply to the RFC 2109.
@@ -401,10 +414,9 @@ def rfc2822(time)
     # that I'm certain someone implemented only that option.
     # Do not use %a and %b from Time.strptime, it would use localized names for
     # weekday and month.
-    #
     def rfc2109(time)
-      wday = Time::RFC2822_DAY_NAME[time.wday]
-      mon = Time::RFC2822_MONTH_NAME[time.mon - 1]
+      wday = RFC2822_DAY_NAME[time.wday]
+      mon = RFC2822_MONTH_NAME[time.mon - 1]
       time.strftime("#{wday}, %d-#{mon}-%Y %H:%M:%S GMT")
     end
     module_function :rfc2109
@@ -418,17 +430,18 @@ def byte_ranges(env, size)
       return nil unless http_range && http_range =~ /bytes=([^;]+)/
       ranges = []
       $1.split(/,\s*/).each do |range_spec|
-        return nil  unless range_spec =~ /(\d*)-(\d*)/
-        r0,r1 = $1, $2
-        if r0.empty?
-          return nil  if r1.empty?
+        return nil unless range_spec.include?('-')
+        range = range_spec.split('-')
+        r0, r1 = range[0], range[1]
+        if r0.nil? || r0.empty?
+          return nil if r1.nil?
           # suffix-byte-range-spec, represents trailing suffix of file
           r0 = size - r1.to_i
           r0 = 0  if r0 < 0
           r1 = size - 1
         else
           r0 = r0.to_i
-          if r1.empty?
+          if r1.nil?
             r1 = size - 1
           else
             r1 = r1.to_i
@@ -438,6 +451,10 @@ def byte_ranges(env, size)
         end
         ranges << (r0..r1)  if r0 <= r1
       end
+
+      total_size = ranges.reduce(0) { |sum, range| sum + range.size }
+      return [] if total_size > size
+
       ranges
     end
     module_function :byte_ranges

lib/rack/version.rb

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Rack
+  RELEASE = "1.6.13.16"
+
+  # Return the Rack release as a dotted string.
+  def self.release
+    RELEASE
+  end
+end
+